CVE-2016-3718

MEDIUM KEV

ImageMagick <6.9.3-10, <7.0.1-1 - Server-Side Request Forgery

Title source: manual

Exploitation Summary

CVE-2016-3718 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including Nikolay Ermishkin.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in ImageMagick, including remote code execution (RCE) via command injection in delegate commands, SSRF, file deletion, file moving, and local file read. The PoC leverages insufficient filtering in the 'delegate' feature and pseudo-protocols like 'ephemeral' and 'msl'.

Description

The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.

Exploits (1)

exploitdb WORKING POC

by Nikolay Ermishkin · textdosmultiple

https://www.exploit-db.com/exploits/39767

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in ImageMagick, including remote code execution (RCE) via command injection in delegate commands, SSRF, file deletion, file moving, and local file read. The PoC leverages insufficient filtering in the 'delegate' feature and pseudo-protocols like 'ephemeral' and 'msl'.

Classification

Working Poc 100%

Attack Type

Rce | Ssrf | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: ImageMagick versions up to 6.9.3-9

No auth needed

Prerequisites: ImageMagick installed with default delegates.xml/policy.xml · wget or curl installed · Ghostscript installed for some PoCs

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (20)

Core 20

Core References

Patch, Vendor Advisory x_refsource_confirm

http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html

Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Vendor Advisory x_refsource_confirm

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2990-1

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/538378/100/0/threaded

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39767/

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html

Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/05/03/18

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201611-21

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html

Third Party Advisory vendor-advisory x_refsource_slackware

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568

Release Notes x_refsource_confirm

https://www.imagemagick.org/script/changelog.php

Mailing List, Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3580

Third Party Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-0726.html

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3718

Scores

CVSS v3 5.5

EPSS 0.7690

EPSS Percentile 99.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact partial

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-11-03

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2016-4739

CWE

CWE-918

Status published

Products (50)

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 15.10

canonical/ubuntu_linux 16.04

imagemagick/imagemagick 7.0.0-0

imagemagick/imagemagick 7.0.1-0

imagemagick/imagemagick < 6.9.3-10

opensuse/leap 42.1

opensuse/opensuse 13.2

oracle/linux 6

... and 40 more

Published May 05, 2016

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026